Bringing trust back into the relationship

Browser security isn’t a new problem. Apple, Google, Microsoft and Mozilla have put a huge amount of effort into enabling consumers to have a secure browsing experience. But who’s thinking about the web site operators and their secure browsing experience?

Trust online
Internet trust is dependent on certification authorities; with TLS/SSL being the most commonly used technology for securing electronic commerce transactions online. It’s all about enabling the consumer to access web services and be reasonably confident they know who they are talking to.

That’s how it works most of the time. But as we’re seeing, with the increase in the Man-In-The-Middle (MITM) attacks and Man-In-The-Browser attacks, this level of ‘reasonably confident’ needs revisiting.

Trust is one sided
Despite the rise in MITM attacks, it’s fair to say that the focus of browser security to date has been directed towards the consumer. It allows the consumer to ‘trust’ they’re interacting with the real company/web site operator. The web site operator doesn’t have this. They have no idea who is talking to them. The way they deal with this is to train their developers to ‘never trust the browser’. But this can result in poor user experiences or simply not offering some services as they can’t be secured. In lots of ways, the web site operator is also a vulnerable party.

Let’s look at a couple of examples. Although web site operators use secure login, many of their consumers gladly and quickly check the “Remember me” box. After all, it’s so much easier. The need to remember all those different passwords with special characters is just too much. (The drive to make passwords more complex may, in fact, be introducing vulnerabilities but I’d best not get distracted – maybe a topic for another blog.) Back to the checked “Remember me” box.

By clicking this, there’s now a cookie on the consumer’s browser. Cybercriminals can exploit that cookie. They can move it to another browser and become the consumer. And how would the web site operator know? In the current browser security environment they wouldn’t.

The same is true when it comes to online advertising. It’s bots that are clicking on most of the online ads not human consumers. In fact, the Financial Times reported ad fraud will cost brands USD7.2bn this year.

Introducing two way trust
In an earlier post, I described how it is possible to secure the browser. In this web site operator example the advantage for them would be to create a trusted environment in any standard web browser. The web site operators would have a secure area to execute code, store data and could be made aware of tampering from the extension or software on the consumer’s device. On top of that, there would an extra layer of encryption that can be added to the traffic between the browser and operator.